package com.jpro.module.system.service.user;

import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.collection.CollectionUtil;
import cn.hutool.core.date.LocalDateTimeUtil;
import cn.hutool.core.io.IoUtil;
import cn.hutool.core.util.ReUtil;
import cn.hutool.core.util.StrUtil;
import com.google.common.annotations.VisibleForTesting;
import com.jpro.framework.common.enums.CommonStatusEnum;
import com.jpro.framework.common.enums.UserTypeEnum;
import com.jpro.framework.common.exception.ServiceException;
import com.jpro.framework.common.pojo.CommonResult;
import com.jpro.framework.common.pojo.PageResult;
import com.jpro.framework.common.util.collection.CollectionUtils;
import com.jpro.framework.common.util.object.BeanUtils;
import com.jpro.framework.common.util.validation.ValidationUtils;
import com.jpro.framework.datapermission.core.util.DataPermissionUtils;
import com.jpro.framework.security.core.LoginUser;
import com.jpro.framework.security.core.util.SecurityFrameworkUtils;
import com.jpro.framework.tenant.core.context.TenantContextHolder;
import com.jpro.module.infra.api.config.ConfigApi;
import com.jpro.module.infra.api.file.FileApi;
import com.jpro.module.system.api.user.dto.MemberCreateReqVO;
import com.jpro.module.system.api.user.dto.MemberUpdateReqVO;
import com.jpro.module.system.api.user.vo.UserLockReqVO;
import com.jpro.module.system.cache.CacheService;
import com.jpro.module.system.config.JproProperties;
import com.jpro.module.system.controller.admin.user.vo.profile.UserProfileUpdatePasswordReqVO;
import com.jpro.module.system.controller.admin.user.vo.profile.UserProfileUpdateReqVO;
import com.jpro.module.system.controller.admin.user.vo.user.*;
import com.jpro.module.system.convert.user.UserConvert;
import com.jpro.module.system.dal.dataobject.dept.DeptDO;
import com.jpro.module.system.dal.dataobject.dept.UserPostDO;
import com.jpro.module.system.dal.dataobject.user.AdminUserDO;
import com.jpro.module.system.dal.mysql.dept.UserPostMapper;
import com.jpro.module.system.dal.mysql.user.AdminUserMapper;
import com.jpro.module.system.enums.user.EnumUserStatus;
import com.jpro.module.system.service.dept.DeptService;
import com.jpro.module.system.service.dept.PostService;
import com.jpro.module.system.service.permission.PermissionService;
import com.jpro.module.system.service.tenant.TenantService;
import com.jpro.module.system.util.SM2Util;
import com.jprocms.module.cms.api.GlobalConfigApi;
import com.jprocms.module.cms.api.dto.GlobalConfigRespVO;
import com.jprocms.module.cms.api.dto.SecurityConfig;
import com.jprocms.module.cms.enums.EnumPasswordRule;
import com.jprocms.module.cms.enums.EnumWeakPasswordProcessMode;
import com.mzt.logapi.context.LogRecordContext;
import com.mzt.logapi.service.impl.DiffParseFunction;
import com.mzt.logapi.starter.annotation.LogRecord;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import javax.annotation.Resource;
import javax.validation.ConstraintViolationException;
import java.io.InputStream;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.util.*;

import static com.jpro.framework.common.exception.util.ServiceExceptionUtil.exception;
import static com.jpro.framework.common.util.collection.CollectionUtils.convertList;
import static com.jpro.framework.common.util.collection.CollectionUtils.convertSet;
import static com.jpro.module.system.dal.redis.RedisKeyConstants.LOGIN_ERROR_USER;
import static com.jpro.module.system.enums.ErrorCodeConstants.*;
import static com.jpro.module.system.enums.LogRecordConstants.*;
import static com.jprocms.module.cms.constant.CmsSysConstants.CMS_TENANT_ID;

/**
 * 后台用户 Service 实现类
 *
 * @author JPROCMS
 */
@Service("adminUserService")
@Slf4j
public class AdminUserServiceImpl implements AdminUserService {

    static final String USER_INIT_PASSWORD_KEY = "system.user.init-password";

    @Resource
    private AdminUserMapper userMapper;
    @Resource
    private CacheService cacheService;
    @Resource
    private DeptService deptService;
    @Resource
    private PostService postService;
    @Resource
    private PermissionService permissionService;
    @Resource
    private PasswordEncoder passwordEncoder;
    @Resource
    @Lazy // 延迟，避免循环依赖报错
    private TenantService tenantService;

    @Resource
    private UserPostMapper userPostMapper;

    @Resource
    private FileApi fileApi;
    @Resource
    private ConfigApi configApi;

    @Resource
    private GlobalConfigApi globalConfigApi;
    @Resource
    private JproProperties jproProperties;


    @Override
    @Transactional(rollbackFor = Exception.class)
    @LogRecord(type = SYSTEM_USER_TYPE, subType = SYSTEM_USER_CREATE_SUB_TYPE, bizNo = "{{#user.id}}",
            success = SYSTEM_USER_CREATE_SUCCESS)
    public Long createUser(UserSaveReqVO reqVO) {
        // 1.1 校验账户配合
        tenantService.handleTenantInfo(tenant -> {
            long count = userMapper.selectCount();
            if (count >= tenant.getAccountCount()) {
                throw exception(USER_COUNT_MAX, tenant.getAccountCount());
            }
        });
        // 校验正确性
        validateUserForCreateOrUpdate(null, reqVO.getUsername(), reqVO.getMobile(), reqVO.getEmail(),
                reqVO.getDeptId(), reqVO.getPostIds());
        //解密传输的密码
        final String decryptPassword = SM2Util.decrypt(reqVO.getPassword(), jproProperties.getClientSm2PrivateKey());
        validatePassword(decryptPassword);
        // 插入用户
        AdminUserDO user = BeanUtils.toBean(reqVO, AdminUserDO.class);
        // 1.2 校验正确性
        validateUserForCreateOrUpdate(null, reqVO.getUsername(),
                reqVO.getMobile(), reqVO.getEmail(), reqVO.getDeptId(), reqVO.getPostIds());
        // 2.1 插入用户
        user.setStatus(CommonStatusEnum.ENABLE.getStatus()); // 默认开启
        user.setPassword(encodePassword(reqVO.getPassword())); // 加密密码
        userMapper.insert(user);
        // 2.2 插入关联岗位
        if (CollectionUtil.isNotEmpty(user.getPostIds())) {
            userPostMapper.insertBatch(convertList(user.getPostIds(),
                    postId -> new UserPostDO().setUserId(user.getId()).setPostId(postId)));
        }

        // 3. 记录操作日志上下文
        LogRecordContext.putVariable("user", user);
        return user.getId();
    }

    @Override
    @Transactional(rollbackFor = Exception.class)
    @LogRecord(type = SYSTEM_USER_TYPE, subType = SYSTEM_USER_UPDATE_SUB_TYPE, bizNo = "{{#updateReqVO.id}}",
            success = SYSTEM_USER_UPDATE_SUCCESS)
    public void updateUser(UserSaveReqVO updateReqVO) {
        updateReqVO.setPassword(null); // 特殊：此处不更新密码
        // 1. 校验正确性
        AdminUserDO oldUser = validateUserForCreateOrUpdate(updateReqVO.getId(), updateReqVO.getUsername(),
                updateReqVO.getMobile(), updateReqVO.getEmail(), updateReqVO.getDeptId(), updateReqVO.getPostIds());

        // 2.1 更新用户
        AdminUserDO updateObj = BeanUtils.toBean(updateReqVO, AdminUserDO.class);
        userMapper.updateById(updateObj);
        // 2.2 更新岗位
        updateUserPost(updateReqVO, updateObj);

        // 3. 记录操作日志上下文
        LogRecordContext.putVariable(DiffParseFunction.OLD_OBJECT, BeanUtils.toBean(oldUser, UserSaveReqVO.class));
        LogRecordContext.putVariable("user", oldUser);
    }

    private void updateUserPost(UserSaveReqVO reqVO, AdminUserDO updateObj) {
        Long userId = reqVO.getId();
        Set<Long> dbPostIds = convertSet(userPostMapper.selectListByUserId(userId), UserPostDO::getPostId);
        // 计算新增和删除的岗位编号
        Set<Long> postIds = CollUtil.emptyIfNull(updateObj.getPostIds());
        Collection<Long> createPostIds = CollUtil.subtract(postIds, dbPostIds);
        Collection<Long> deletePostIds = CollUtil.subtract(dbPostIds, postIds);
        // 执行新增和删除。对于已经授权的岗位，不用做任何处理
        if (!CollectionUtil.isEmpty(createPostIds)) {
            userPostMapper.insertBatch(convertList(createPostIds,
                    postId -> new UserPostDO().setUserId(userId).setPostId(postId)));
        }
        if (!CollectionUtil.isEmpty(deletePostIds)) {
            userPostMapper.deleteByUserIdAndPostId(userId, deletePostIds);
        }
    }

    @Override
    public void updateUserLogin(Long id, String loginIp) {
        //更新登录次数
        final AdminUserDO user = getUser(id);
        Long loginCount = 1L;
        if (user.getLoginCount() != null) {
            loginCount = loginCount + 1;
        }
        userMapper.updateById(new AdminUserDO().setId(id).setLoginIp(loginIp).setLoginDate(LocalDateTime.now()).setLoginCount(loginCount));
    }

    @Override
    public void updateUserProfile(Long id, UserProfileUpdateReqVO reqVO) {
        // 校验正确性
        validateUserExists(id);
        validateEmailUnique(id, reqVO.getEmail());
        validateMobileUnique(id, reqVO.getMobile());
        // 执行更新
        userMapper.updateById(BeanUtils.toBean(reqVO, AdminUserDO.class).setId(id));
    }

    @Override
    public void updateUserPassword(Long id, UserProfileUpdatePasswordReqVO reqVO) {
        // 校验旧密码密码
        final String decryptOldPassword = SM2Util.decrypt(reqVO.getOldPassword(), jproProperties.getClientSm2PrivateKey());
        final String decryptNewPassword = SM2Util.decrypt(reqVO.getNewPassword(), jproProperties.getClientSm2PrivateKey());
        validateOldPassword(id, decryptOldPassword);
        validatePassword(decryptNewPassword);
        // 执行更新
        AdminUserDO updateObj = new AdminUserDO().setId(id);
        updateObj.setPassword(encodePassword(decryptNewPassword)); // 加密密码
        updateObj.setPasswordChangeDate(LocalDateTime.now()); //主动修改密码时间
        userMapper.updateById(updateObj);
    }

    @Override
    public void resetUserPassword(Long id, String newPassword) {
        final String decryptNewPassword = SM2Util.decrypt(newPassword, jproProperties.getClientSm2PrivateKey());
        validatePassword(decryptNewPassword);
        // 执行更新
        AdminUserDO updateObj = new AdminUserDO().setId(id);
        updateObj.setPassword(encodePassword(decryptNewPassword)); // 加密密码
        updateObj.setPasswordChangeDate(LocalDateTime.now()); //主动修改密码时间
        userMapper.updateById(updateObj);
    }

    @Override
    public String updateUserAvatar(Long id, InputStream avatarFile) {
        validateUserExists(id);
        // 存储文件
        String avatar = fileApi.createFile(IoUtil.readBytes(avatarFile));
        // 更新路径
        AdminUserDO sysUserDO = new AdminUserDO();
        sysUserDO.setId(id);
        sysUserDO.setAvatar(avatar);
        userMapper.updateById(sysUserDO);
        return avatar;
    }

    @Override
    public String updateUserAvatar(Long id, String url) {
        validateUserExists(id);
        // 更新路径
        AdminUserDO sysUserDO = new AdminUserDO();
        sysUserDO.setId(id);
        sysUserDO.setAvatar(url);
        userMapper.updateById(sysUserDO);
        return url;
    }

    @Override
    @LogRecord(type = SYSTEM_USER_TYPE, subType = SYSTEM_USER_UPDATE_PASSWORD_SUB_TYPE, bizNo = "{{#id}}",
            success = SYSTEM_USER_UPDATE_PASSWORD_SUCCESS)
    public void updateUserPassword(Long id, String password) {
        // 校验用户存在
        AdminUserDO user = validateUserExists(id);
        //解密传输加密的密码
        final String decryptPassword = SM2Util.decrypt(password, jproProperties.getClientSm2PrivateKey());
        validatePassword(decryptPassword);
        // 更新密码
        AdminUserDO updateObj = new AdminUserDO();
        updateObj.setId(id);
        updateObj.setPassword(encodePassword(decryptPassword)); // 加密密码
        updateObj.setPasswordResetDate(LocalDateTime.now()); //重置密码时间
        userMapper.updateById(updateObj);

        // 3. 记录操作日志上下文
        LogRecordContext.putVariable("user", user);
        LogRecordContext.putVariable("newPassword", decryptPassword);
    }

    @Override
    @LogRecord(type = SYSTEM_USER_TYPE, subType = SYSTEM_USER_UPDATE_STATUS_SUB_TYPE, bizNo = "{{#id}}", success = SYSTEM_USER_UPDATE_STATUS_SUCCESS)
    public void updateUserStatus(Long id, Integer status) {
        // 校验用户存在
        validateUserExists(id);
        // 更新状态
        AdminUserDO updateObj = new AdminUserDO();
        updateObj.setId(id);
        updateObj.setStatus(status);
        if (EnumUserStatus.DISABLE.getStatus().equals(status)) {
            updateObj.setDisableReason("手动禁用");
        }
        userMapper.updateById(updateObj);

        //手动启用则清理登录错误次数的缓存
        if (EnumUserStatus.ENABLE.equals(status)) {
            String cacheKey = LOGIN_ERROR_USER + ":" + id;
            cacheService.deleteObject(cacheKey);
        }
        // 3. 记录操作日志上下文
        AdminUserDO user = getUser(id);
        LogRecordContext.putVariable("user", user);
        LogRecordContext.putVariable("status", status);
    }

    @Override
    @Transactional(rollbackFor = Exception.class)
    @LogRecord(type = SYSTEM_USER_TYPE, subType = SYSTEM_USER_DELETE_SUB_TYPE, bizNo = "{{#id}}",
            success = SYSTEM_USER_DELETE_SUCCESS)
    public void deleteUser(Long id) {
        // 1. 校验用户存在
        AdminUserDO user = validateUserExists(id);

        // 2.1 删除用户
        userMapper.deleteById(id);
        // 2.2 删除用户关联数据
        permissionService.processUserDeleted(id);
        // 2.2 删除用户岗位
        userPostMapper.deleteByUserId(id);

        // 3. 记录操作日志上下文
        LogRecordContext.putVariable("user", user);
    }

    @Override
    public AdminUserDO getUserByUsername(String username) {
        return userMapper.selectByUsername(username);
    }

    @Override
    public AdminUserDO getUserByMobile(String mobile) {
        return userMapper.selectByMobile(mobile);
    }

    @Override
    public PageResult<AdminUserDO> getUserPage(UserPageReqVO reqVO) {
        return userMapper.selectPage(reqVO, getDeptCondition(reqVO.getDeptId()));
    }

    @Override
    public AdminUserDO getUser(Long id) {
        return userMapper.selectById(id);
    }

    @Override
    public List<AdminUserDO> getUserListByDeptIds(Collection<Long> deptIds) {
        if (CollUtil.isEmpty(deptIds)) {
            return Collections.emptyList();
        }
        return userMapper.selectListByDeptIds(deptIds);
    }

    @Override
    public List<AdminUserDO> getUserListByPostIds(Collection<Long> postIds) {
        if (CollUtil.isEmpty(postIds)) {
            return Collections.emptyList();
        }
        Set<Long> userIds = convertSet(userPostMapper.selectListByPostIds(postIds), UserPostDO::getUserId);
        if (CollUtil.isEmpty(userIds)) {
            return Collections.emptyList();
        }
        return userMapper.selectBatchIds(userIds);
    }

    @Override
    public List<AdminUserDO> getUserList(Collection<Long> ids) {
        if (CollUtil.isEmpty(ids)) {
            return Collections.emptyList();
        }
        return userMapper.selectBatchIds(ids);
    }

    @Override
    public List<AdminUserDO> getUserList(UserExportReqVO reqVO) {
        return userMapper.selectList(reqVO, getDeptCondition(reqVO.getDeptId()));
    }

    @Override
    public void validateUserList(Collection<Long> ids) {
        if (CollUtil.isEmpty(ids)) {
            return;
        }
        // 获得岗位信息
        List<AdminUserDO> users = userMapper.selectBatchIds(ids);
        Map<Long, AdminUserDO> userMap = CollectionUtils.convertMap(users, AdminUserDO::getId);
        // 校验
        ids.forEach(id -> {
            AdminUserDO user = userMap.get(id);
            if (user == null) {
                throw exception(USER_NOT_EXISTS);
            }
            if (!CommonStatusEnum.ENABLE.getStatus().equals(user.getStatus())) {
                throw exception(USER_IS_DISABLE, user.getNickname());
            }
        });
    }

    @Override
    public List<AdminUserDO> getUserListByNickname(String nickname) {
        return userMapper.selectListByNickname(nickname);
    }

    /**
     * 获得部门条件：查询指定部门的子部门编号们，包括自身
     * @param deptId 部门编号
     * @return 部门编号集合
     */
    private Set<Long> getDeptCondition(Long deptId) {
        if (deptId == null) {
            return Collections.emptySet();
        }
        Set<Long> deptIds = convertSet(deptService.getChildDeptList(deptId), DeptDO::getId);
        deptIds.add(deptId); // 包括自身
        return deptIds;
    }

    private AdminUserDO validateUserForCreateOrUpdate(Long id, String username, String mobile, String email,
                                                      Long deptId, Set<Long> postIds) {
        // 关闭数据权限，避免因为没有数据权限，查询不到数据，进而导致唯一校验不正确
        return DataPermissionUtils.executeIgnore(() -> {
            // 校验用户存在
            AdminUserDO user = validateUserExists(id);
            // 校验用户名唯一
            validateUsernameUnique(id, username);
            // 校验手机号唯一
            validateMobileUnique(id, mobile);
            // 校验邮箱唯一
            validateEmailUnique(id, email);
            // 校验部门处于开启状态
            deptService.validateDeptList(CollectionUtils.singleton(deptId));
            // 校验岗位处于开启状态
            postService.validatePostList(postIds);
            return user;
        });
    }

    @VisibleForTesting
    AdminUserDO validateUserExists(Long id) {
        if (id == null) {
            return null;
        }
        AdminUserDO user = userMapper.selectById(id);
        if (user == null) {
            throw exception(USER_NOT_EXISTS);
        }
        return user;
    }

    @VisibleForTesting
    void validateUsernameUnique(Long id, String username) {
        if (StrUtil.isBlank(username)) {
            return;
        }
        AdminUserDO user = userMapper.selectByUsername(username);
        if (user == null) {
            return;
        }
        // 如果 id 为空，说明不用比较是否为相同 id 的用户
        if (id == null) {
            throw exception(USER_USERNAME_EXISTS);
        }
        if (!user.getId().equals(id)) {
            throw exception(USER_USERNAME_EXISTS);
        }
    }

    @VisibleForTesting
    void validateEmailUnique(Long id, String email) {
        if (StrUtil.isBlank(email)) {
            return;
        }
        AdminUserDO user = userMapper.selectByEmail(email);
        if (user == null) {
            return;
        }
        // 如果 id 为空，说明不用比较是否为相同 id 的用户
        if (id == null) {
            throw exception(USER_EMAIL_EXISTS);
        }
        if (!user.getId().equals(id)) {
            throw exception(USER_EMAIL_EXISTS);
        }
    }

    @VisibleForTesting
    void validateMobileUnique(Long id, String mobile) {
        if (StrUtil.isBlank(mobile)) {
            return;
        }
        AdminUserDO user = userMapper.selectByMobile(mobile);
        if (user == null) {
            return;
        }
        // 如果 id 为空，说明不用比较是否为相同 id 的用户
        if (id == null) {
            throw exception(USER_MOBILE_EXISTS);
        }
        if (!user.getId().equals(id)) {
            throw exception(USER_MOBILE_EXISTS);
        }
    }

    /**
     * 校验旧密码
     * @param id          用户 id
     * @param oldPassword 旧密码
     */
    @VisibleForTesting
    void validateOldPassword(Long id, String oldPassword) {
        AdminUserDO user = userMapper.selectById(id);
        if (user == null) {
            throw exception(USER_NOT_EXISTS);
        }
        if (!isPasswordMatch(oldPassword, user.getPassword())) {
            throw exception(USER_PASSWORD_FAILED);
        }
    }

    @Override
    @Transactional(rollbackFor = Exception.class) // 添加事务，异常则回滚所有导入
    public UserImportRespVO importUserList(List<UserImportExcelVO> importUsers, boolean isUpdateSupport) {
        // 1.1 参数校验
        if (CollUtil.isEmpty(importUsers)) {
            throw exception(USER_IMPORT_LIST_IS_EMPTY);
        }
        // 1.2 初始化密码不能为空
        String initPassword = configApi.getConfigValueByKey(USER_INIT_PASSWORD_KEY).getCheckedData();
        if (StrUtil.isEmpty(initPassword)) {
            throw exception(USER_IMPORT_INIT_PASSWORD);
        }

        // 2. 遍历，逐个创建 or 更新
        UserImportRespVO respVO = UserImportRespVO.builder().createUsernames(new ArrayList<>())
                .updateUsernames(new ArrayList<>()).failureUsernames(new LinkedHashMap<>()).build();
        importUsers.forEach(importUser -> {
            // 2.1.1 校验字段是否符合要求
            try {
                ValidationUtils.validate(BeanUtils.toBean(importUser, UserSaveReqVO.class).setPassword(initPassword));
            } catch (ConstraintViolationException ex){
                respVO.getFailureUsernames().put(importUser.getUsername(), ex.getMessage());
                return;
            }
            // 2.1.2 校验，判断是否有不符合的原因
            try {
                validateUserForCreateOrUpdate(null, null, importUser.getMobile(), importUser.getEmail(),
                        importUser.getDeptId(), null);
            } catch (ServiceException ex) {
                respVO.getFailureUsernames().put(importUser.getUsername(), ex.getMessage());
                return;
            }

            // 2.2.1 判断如果不存在，在进行插入
            AdminUserDO existUser = userMapper.selectByUsername(importUser.getUsername());
            if (existUser == null) {
                userMapper.insert(BeanUtils.toBean(importUser, AdminUserDO.class)
                        .setPassword(encodePassword(initPassword)).setPostIds(new HashSet<>())); // 设置默认密码及空岗位编号数组
                respVO.getCreateUsernames().add(importUser.getUsername());
                return;
            }
            // 2.2.2 如果存在，判断是否允许更新
            if (!isUpdateSupport) {
                respVO.getFailureUsernames().put(importUser.getUsername(), USER_USERNAME_EXISTS.getMsg());
                return;
            }
            AdminUserDO updateUser = BeanUtils.toBean(importUser, AdminUserDO.class);
            updateUser.setId(existUser.getId());
            userMapper.updateById(updateUser);
            respVO.getUpdateUsernames().add(importUser.getUsername());
        });
        return respVO;
    }

    @Override
    public List<AdminUserDO> getUserListByStatus(Integer status) {
        return userMapper.selectListByStatus(status, UserTypeEnum.ADMIN.getValue());
    }

    @Override
    public List<AdminUserDO> getMemberListByStatus(Integer status) {
        return userMapper.selectListByStatus(status, UserTypeEnum.MEMBER.getValue());
    }

    @Override
    public boolean isPasswordMatch(String rawPassword, String encodedPassword) {
        return passwordEncoder.matches(rawPassword, encodedPassword);
    }

    /**
     * 对密码进行加密
     *
     * @param password 密码
     * @return 加密后的密码
     */
    private String encodePassword(String password) {
        return passwordEncoder.encode(password);
    }

    @Override
    public Long createMember(MemberCreateReqVO reqVO,Integer status) {
        // 校验账户配合
        tenantService.handleTenantInfo(tenant -> {
            long count = userMapper.selectCount();
            if (count >= tenant.getAccountCount()) {
                throw exception(USER_COUNT_MAX, tenant.getAccountCount());
            }
        });
        // 校验正确性
        validateMemberForCreateOrUpdate(null, reqVO.getUsername(), reqVO.getMobile(), reqVO.getEmail());
        final String decryptPassword = SM2Util.decrypt(reqVO.getPassword(), jproProperties.getClientSm2PrivateKey());
        validatePassword(decryptPassword);
        // 插入用户
        AdminUserDO user = UserConvert.INSTANCE.convert(reqVO);
        user.setStatus(status);
        user.setNickname(reqVO.getUsername());
        user.setPassword(encodePassword(decryptPassword)); // 加密密码
        userMapper.insert(user);
        return user.getId();
    }

    @Override
    @LogRecord(type = SYSTEM_MEMBER_TYPE, subType = SYSTEM_MEMBER_UPDATE_SUB_TYPE, bizNo = "{{#updateReqVO.id}}", success = SYSTEM_MEMBER_UPDATE_SUCCESS)
    public void updateMember(MemberUpdateReqVO updateReqVO) {
        // 校验正确性
        AdminUserDO oldUser = validateMemberForCreateOrUpdate(updateReqVO.getId(), updateReqVO.getUsername(), updateReqVO.getMobile(), updateReqVO.getEmail());
        // 更新用户
        AdminUserDO updateObj = UserConvert.INSTANCE.convert(updateReqVO);
        userMapper.updateById(updateObj);
        // 记录操作日志上下文
        LogRecordContext.putVariable(DiffParseFunction.OLD_OBJECT, BeanUtils.toBean(oldUser, MemberUpdateReqVO.class));
        LogRecordContext.putVariable("user", updateObj);
    }

    @Override
    public void updateMemberPassword(Long id, UserProfileUpdatePasswordReqVO reqVO) {
        // 校验旧密码密码
        final String decryptOldPassword = SM2Util.decrypt(reqVO.getOldPassword(), jproProperties.getClientSm2PrivateKey());
        validateOldPassword(id, decryptOldPassword);
        final String decryptPassword = SM2Util.decrypt(reqVO.getNewPassword(), jproProperties.getClientSm2PrivateKey());
        validatePassword(decryptPassword);
        // 执行更新
        AdminUserDO updateObj = new AdminUserDO().setId(id);
        updateObj.setPassword(encodePassword(decryptPassword)); // 加密密码
        updateObj.setPasswordChangeDate(LocalDateTime.now()); //主动修改密码时间
        userMapper.updateById(updateObj);
    }

    @Override
    @LogRecord(type = SYSTEM_MEMBER_TYPE, subType = SYSTEM_MEMBER_UPDATE_PASSWORD_SUB_TYPE, bizNo = "{{#id}}", success = SYSTEM_MEMBER_UPDATE_PASSWORD_SUCCESS)
    public void updateMemberPassword(Long id, String password) {
        // 校验用户存在
        validateUserExists(id);
        final String decryptPassword = SM2Util.decrypt(password, jproProperties.getClientSm2PrivateKey());
        validatePassword(decryptPassword);
        // 更新密码
        AdminUserDO updateObj = new AdminUserDO();
        updateObj.setId(id);
        updateObj.setPassword(encodePassword(decryptPassword)); // 加密密码
        updateObj.setPasswordResetDate(LocalDateTime.now()); //重置密码时间
        userMapper.updateById(updateObj);
        LogRecordContext.putVariable("newPassword", encodePassword(decryptPassword));
        LogRecordContext.putVariable("user", getUser(id));
    }

    @Override
    public void updateUserProfile(Long id, com.jpro.module.system.api.user.vo.UserProfileUpdateReqVO reqVO) {
        updateUserProfile(id, UserConvert.INSTANCE.convert(reqVO));
    }

    @Override
    public void updateUserPassword(Long id, com.jpro.module.system.api.user.vo.UserProfileUpdatePasswordReqVO reqVO) {
        reqVO.setNewPassword(SM2Util.decrypt(reqVO.getNewPassword(), jproProperties.getClientSm2PrivateKey()));
        reqVO.setOldPassword(SM2Util.decrypt(reqVO.getOldPassword(), jproProperties.getClientSm2PrivateKey()));
        updateUserPassword(id, UserConvert.INSTANCE.convert(reqVO));
    }

    private AdminUserDO validateMemberForCreateOrUpdate(Long id, String username, String mobile, String email) {
        // 关闭数据权限，避免因为没有数据权限，查询不到数据，进而导致唯一校验不正确
        DataPermissionUtils.executeIgnore(() -> {
            // 校验用户存在
            validateUserExists(id);
            // 校验用户名唯一
            validateUsernameUnique(id, username);
            // 校验手机号唯一
            validateMobileUnique(id, mobile);
            // 校验邮箱唯一
            validateEmailUnique(id, email);
        });
        return getUser(id);
    }

    /**
     * 检查密码复杂度 长度 和弱密码等，这里的密码是明文密码
     *
     * @param password
     */
    void validatePassword(String password) {
        final CommonResult<GlobalConfigRespVO> globalConfigResp = globalConfigApi.getGlobalConfig();
        if (globalConfigResp.isSuccess()) {
            final GlobalConfigRespVO globalConfigRespData = globalConfigResp.getData();
            final SecurityConfig securityConfig = globalConfigRespData.getSecurityConfig();
            final String passwordPattern = securityConfig.getPasswordPattern();
            //长度检查
            if (password.length() < securityConfig.getPasswordMinLength()) {
                throw exception(CMS_SECURITY_PASSWORD_SHORT, securityConfig.getPasswordMinLength());
            }
            if (password.length() > securityConfig.getPasswordMaxLength()) {
                throw exception(CMS_SECURITY_PASSWORD_LONG, securityConfig.getPasswordMaxLength());
            }
            //验证密码复杂度
            if (!ReUtil.isMatch(passwordPattern, password)) {
                throw exception(CMS_SECURITY_PASSWORD_PATTERN, EnumPasswordRule.getRuleDesc(securityConfig.getPasswordStrength()));
            }
            //开启弱密码并且无法提交
            if (securityConfig.isWeakPasswordCheck() && EnumWeakPasswordProcessMode.PROCESS_MODE_FOBIDDEN.getCode().equals(securityConfig.getWeakPasswordProcessMode())) {
                if (securityConfig.getWeakPasswordList().contains(password)) {
                    throw exception(CMS_SECURITY_PASSWORD_WEEK);
                }
            }
        }
    }

    public CheckPasswordRespVO checkPwd(String password) {
        final String decryptPassword = SM2Util.decrypt(password, jproProperties.getClientSm2PrivateKey());
        CheckPasswordRespVO respVO = new CheckPasswordRespVO();
        respVO.setSuccess(true);
        try {
            validatePassword(decryptPassword);
        } catch (ServiceException e) {
            respVO.setSuccess(false);
            respVO.setMsg(e.getMessage());
        }
        return respVO;
    }

    public CheckPasswordRespVO checkWeakPwd(String password) {
        final String decryptPassword = SM2Util.decrypt(password, jproProperties.getClientSm2PrivateKey());
        CheckPasswordRespVO respVO = new CheckPasswordRespVO();
        respVO.setSuccess(true);
        try {
            final CommonResult<GlobalConfigRespVO> globalConfigResp = globalConfigApi.getGlobalConfig();
            if (globalConfigResp.isSuccess()) {
                final GlobalConfigRespVO globalConfigRespData = globalConfigResp.getData();
                final SecurityConfig securityConfig = globalConfigRespData.getSecurityConfig();
                //开启弱密码
                if (securityConfig.isWeakPasswordCheck() && EnumWeakPasswordProcessMode.PROCESS_MODE_TIP.getCode().equals(securityConfig.getWeakPasswordProcessMode())) {
                    if (securityConfig.getWeakPasswordList().contains(decryptPassword)) {
                        throw exception(CMS_SECURITY_PASSWORD_WEEK);
                    }
                }
            }
        } catch (ServiceException e) {
            respVO.setSuccess(false);
            respVO.setMsg(e.getMessage());
        }
        return respVO;
    }

    @Override
    public void lockUser(UserLockReqVO reqVO) {
        // 更新状态
        AdminUserDO updateObj = new AdminUserDO();
        updateObj.setId(reqVO.getId());
        updateObj.setStatus(EnumUserStatus.DISABLE.getStatus());
        updateObj.setDisableReason(reqVO.getLockReason());
        userMapper.updateById(updateObj);
    }

    @Override
    public boolean getNeedChangePwd() {
        final CommonResult<GlobalConfigRespVO> globalConfigResp = globalConfigApi.getGlobalConfig();
        if (globalConfigResp.isSuccess()) {
            final LoginUser loginUser = SecurityFrameworkUtils.getLoginUser();
            final GlobalConfigRespVO globalConfigRespData = globalConfigResp.getData();
            final SecurityConfig securityConfig = globalConfigRespData.getSecurityConfig();
            final AdminUserDO user = getUser(loginUser.getId());
            //首次登录是否强制要求修改密码&登录次数小于等于1
            if (securityConfig.isFirstLoginChangePasssword() && user.getLoginCount() <= 1) {
                return true;
            }
            //重置密码后首次登录是否强制要求修改密码 & 密码被重置时间大于最后修改密码时间
            if (securityConfig.isResetChangePasssword() && user.getPasswordResetDate() != null
                    && user.getPasswordResetDate().isAfter(user.getPasswordChangeDate())) {
                return true;
            }

            //密码最长使用天数。可以将密码设置为在某些天数(介于 1 到 999 之间)后到期，或者将天数设置为 0，指定密码永不过期。
            if (securityConfig.getPasswordMaxDays() > 0) {
                //密码的最后修改时间 没有修改则是创建时间
                LocalDateTime passwordLastChangeDate = user.getPasswordChangeDate() != null ? user.getPasswordChangeDate() : user.getCreateTime();
                final long betweenDays = LocalDateTimeUtil.between(passwordLastChangeDate, LocalDateTime.now(), ChronoUnit.DAYS);
                if (betweenDays >= securityConfig.getPasswordMaxDays()) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override
    public Long getNotifyChangePwd() {
        final CommonResult<GlobalConfigRespVO> globalConfigResp = globalConfigApi.getGlobalConfig();
        if (globalConfigResp.isSuccess()) {
            final LoginUser loginUser = SecurityFrameworkUtils.getLoginUser();
            final GlobalConfigRespVO globalConfigRespData = globalConfigResp.getData();
            final SecurityConfig securityConfig = globalConfigRespData.getSecurityConfig();
            final AdminUserDO user = getUser(loginUser.getId());
            //密码过期提前警告天数大于0 & 密码最长使用天数大于0
            if (securityConfig.getPasswordWarnDays() > 0 && securityConfig.getPasswordMaxDays() > 0) {
                //密码的最后修改时间 没有修改则是创建时间
                LocalDateTime passwordLastChangeDate = user.getPasswordChangeDate();
                final long betweenDays = LocalDateTimeUtil.between(passwordLastChangeDate, LocalDateTime.now(), ChronoUnit.DAYS);
                if (betweenDays >= (securityConfig.getPasswordMaxDays() - securityConfig.getPasswordWarnDays())) {
                    //密码最大有效时间
                    final LocalDateTime passwordMaxValidDate = LocalDateTimeUtil.offset(passwordLastChangeDate, securityConfig.getPasswordMaxDays(), ChronoUnit.DAYS);
                    //密码剩余有效天数
                    final long remainingValidDays = LocalDateTimeUtil.between(LocalDateTime.now(), passwordMaxValidDate, ChronoUnit.DAYS);
                    //历史数据创建时间比较早，给0
                    if (remainingValidDays < 0) {
                        return 0L;
                    }
                    return remainingValidDays;
                }
            }
        }
        return 0L;
    }

    @Override
    public boolean getEnableTwoFactor() {
        TenantContextHolder.setTenantId(CMS_TENANT_ID);
        final CommonResult<GlobalConfigRespVO> globalConfigResp = globalConfigApi.getGlobalConfig();
        if (globalConfigResp.isSuccess()) {
            final GlobalConfigRespVO globalConfigRespData = globalConfigResp.getData();
            final SecurityConfig securityConfig = globalConfigRespData.getSecurityConfig();
            return securityConfig.isTwoFactor();
        }
        return false;
    }

    @Override
    public AdminUserDO getUserByEmail(String email) {
        return userMapper.selectByEmail(email);
    }
}
